ADVERTISEMENT

ClickFix access broker campaign hits Windows with Python-driven backdoors

Businesses are being warned about a new cyber campaign targeting Windows environments where getting in is only the beginning – not the end – of the attack.

Microsoft Windows, vulnerability

Image by Cybernews.

Ann-Marie Corvin
Ann-Marie Corvin Senior Journalist
Feb 9, 2026 3 min read
Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News
Add us as your Preferred Source on Google.

Blending into systems, using Python backdoors

"Analysis of recovered artifacts confirmed the attacker deployed multiple independent implants, rather than relying on a single payload. The primary Python implant functioned as a lightweight backdoor capable of command execution, host reconnaissance, and follow-on payload delivery, largely orchestrating living-off-the-land activity through native Windows utilities and PowerShell rather than custom binaries."
ARC Labs
ADVERTISEMENT
"The coexistence of Python backdoors and a reflective DLL implant highlights a deliberate defense-evasion and persistence strategy. By mixing scripting-based and native implants, the attacker reduced reliance on any single execution method, making complete eviction more difficult. This layered tooling aligns more closely with interactive intrusion and access brokerage operations than with single-purpose malware delivery."

"From a defender’s perspective, this blurs the line between scripting abuse and traditional malware."
ARC Labs

Targets include Active Directory

clickfix phishing attack
Employees warned to treat unsolicited instructions, especially requests to open ‘Run and Paste’ commands, as a major warning sign.

ADVERTISEMENT